REMARKS

The Examiner has rejected Claims 1-3, 6-12, 15-21, and 24-27 under 35 U.S.C.
102(e) as being anticipated by Schertz et al. (U.S. Publication No. 2003/0084322 A1).
Applicant respectfully disagrees with such rejection. 

With respect to each of the independent claims, the Examiner has relied on 
paragraphs [0018], [0021], [0023], and [0030] from the Schertz reference to make a prior 
art showing of applicant's claimed "detecting from said plurality of log data messages 
received by said managing computer a pattern and a network-wide threshold of malware 
detection across said plurality of network connected computers matching at least one 
predetermined trigger" (see this or similar, but not necessarily identical language in each
of the independent claims). 

Applicant respectfully asserts that the excerpts from Schertz relied on by the 
Examiner merely teach a method of performing network-based intrusion detection on 
packets inbound from the internet via a firewall or proxy server destined for a device or 
multiple devices on the network. In addition, the excerpts teach that "[n]etwork-based 
intrusion protection systems analyze data inbound from the Internet and collects network 
packets to compare against a data base of various known attack signatures or bit 
patterns." In sharp contrast, applicant claims "detecting from said plurality of log data
messages received by said managing computer a pattern and a network-wide threshold of 
malware detection across said plurality of network connected computers matching at least 
one predetermined trigger" (emphasis added), in the context claimed. 

In the Office Action dated 07/26/06, the Examiner has argued that "Schertz et al. 
teaches virus intrusion detecting/monitoring/scanning of ALL devices on a network 
network-wide, [that] network-based virus intrusion detection system typically monitors 
all network activity and network traffic, [and that] Network-based virus intrusion 
protection systems analyze data inbound from the internet and collects network packets to 
compare against a database of various known attack signatures or bit patterns."

Applicant respectfully disagrees, and asserts that merely detecting, monitoring
and scanning all network activity, as the Examiner has noted, fails to even suggest any
sort of network-wide threshold, in the manner claimed by applicant. In addition, simply
disclosing comparing network packets against a database of various known attack
signature, as also noted by the Examiner, does not specifically meet a "network-wide
threshold of malware detection across said plurality of network connected computers," as
applicant claims (emphasis added).

With respect to each of the independent claims, the Examiner has also relied on 
paragraphs [0003] and [0018] from the Schertz reference to make a prior art showing of
applicant's claimed "network-wide threshold being applied to a sum of detections, the
detections each being associated with a different one of the network connected
computers" (see this or similar, but not necessarily identical language in each of the
independent claims).

Applicant respectfully points out that the excerpts from Schertz relied on by the
Examiner merely disclose that "[a] network-based system typically monitors all network
activity and network traffic" (paragraph [0003]) and that "[n]etwork-based intrusion
protection systems analyze data inbound from the Internet and collects network packets
to compare against a data base of various known attack signatures or bit patterns"
(paragraph [0018]-emphasis added). Applicant respectfully asserts that simply
"collect[ing] network packets to compare against a data base," as in Schertz, does not
teach applying a "network-wide threshold" to "a sum of detections," let alone where such
detections are each "associated with a different one of the network connected
computers," as claimed by applicant (emphasis added).

Additionally, the Examiner has rejected Claims 1, 10, and 19 under 35 U.S.C. 
102(e) as being anticipated by Chefalas et al. (U.S. Publication No. 2002/0116639 A1).
Applicant respectfully disagrees with such rejection.

With respect to each of the independent claims, the Examiner has relied on
paragraph [0012], Fig. 4A-B, and Fig. 5A-B from the Chefalas reference to make a prior
art showing of applicant's claimed "pattern and a network-wide threshold of malware 
detection across said plurality of network connected computers matching at least one 
predetermined trigger" (see this or similar, but not necessarily identical language in each 
of the independent claims). 



Applicant respectfully asserts that such excerpts merely teach that "[i]n response
to detecting a virus infection, the VSN at the client data processing system sends
notification of a presence of the virus on the data processing system to a software module
known as the virus scanner controller (VSC) residing at a server, wherein the notification
includes an identification of an action taken in response to detecting the virus" and that
"the server data processing system may execute an action based on a business policy in
response to receiving the notification" (emphasis added). Additionally, the figures relied
upon by the Examiner simply illustrate "business events" and "illustrations of policies for
taking action in response to notification of a virus."

Applicant respectfully asserts that merely "detecting a virus infection," sending
"notification of a presence of the virus" as well as "an action taken in response to
detecting the virus," and executing "an action based on a business policy," as in Chefalas,
does not teach any sort of threshold, let alone a "pattern and a network-wide threshold of
malware detection across said plurality of network connected computers matching at least
one predetermined trigger," as claimed by applicant (emphasis added).

Additionally, with respect to each of the independent claims, the Examiner has 
relied on paragraphs [0012], [0022]-[0024], and [0057]-[0058] from the Chefalas
reference to make a prior art showing of applicant's claimed "network-wide threshold 
being applied to a sum of detections, the detections each being associated with a different 
one of the network connected computers" (see this or similar, but not necessarily 
identical language in each of the independent claims). 

Applicant respectfully points out that the excerpts relied on by the Examiner
merely teach that "the VSN at the client data processing system sends notification of a
presence of the virus on the data processing system to a software module" (paragraph
[0012]) and that "the business event is compared to policies . . . [and] an action is initiated
based on the comparison" (paragraph [0058]-emphasis added). Such excerpts also teach
that the "[n]etwork data processing system 100 is a network of computers in which the
present invention may be implemented" (emphasis added). However, merely disclosing
the "presence of the virus" on a network and comparing a "business event" to a "policy,"
as in Chefalas, does not teach the use of a "network-wide threshold" or a "sum of
detections," much less a "network-wide threshold being applied to a sum of detections,
the detections each being associated with a different one of the network connected
computers," as claimed by applicant (emphasis added).

Also, the Examiner has rejected Claims 1, 10, and 19 under 35 U.S.C. 102(e) as 
being anticipated by Hypponen et al. (U.S. Publication No. 2003/0191957 A1). Applicant
respectfully disagrees with such rejection. 



With respect to each of the independent claims, the Examiner has relied on 
paragraphs [0035] and [0036], as well as Fig. 1 from the Hypponen reference to make a 
prior art showing of applicant's claimed "detecting from said plurality of log data 
messages received by said managing computer a pattern and a network-wide threshold of 
malware detection across said plurality of network connected computers matching at least 
one predetermined trigger, the network-wide threshold being applied to a sum of 
detections, the detections each being associated with a different one of the network 
connected computers" (see this or similar, but not necessarily identical language in each 
of the independent claims). 



Applicant respectfully asserts that such excerpts from Hypponen merely teach that 
"[t]he agent's function is to intercept data which is being transferred through the
[protected] system 4 on which the agent is running . . . [and that t]he intercepted data is
scanned on-the-fly by the agent to determine whether or not the data has a form which
may contain a virus" (paragraph [0035]-emphasis added). Such excerpts also teach that
"any data which is identified by the agent as being suspect, is re-routed over the network
1, from the protected system in question, to the virus scanning server 7 . . . [and that u]pon
receipt of the suspect data, the server 7 scans the data for viruses" (paragraph [0035]-
emphasis added).

Applicant respectfully asserts that there is simply no disclosure in the excerpts 
relied on by the Examiner of "a pattern and a network-wide threshold of malware 
detection" (emphasis added), as claimed by applicant. For example, "intercept[ing] data
which is being transferred through the [protected] system," "scann[ing] on-the-fly by the
agent" for viruses, and re-routing suspect data "to the virus scanning server," as in
Hypponen, does not meet any sort of a "threshold" or "a sum of detections," much less a
"network-wide threshold being applied to a sum of detections, the detections each being
associated with a different one of the network connected computers," as applicant
specifically claims (emphasis added). 

In the Office Action mailed 7/26/2006, the Examiner has argued that Hypponen 
"teaches a virus scanning server 7 scanning and detecting the received suspicious log data 
using F-PROT™, and F-SECURE™, and/or detecting virus on a network-wide
connected computer" where "[d]etected/suspected data packets . . . are compared with
known virus signature." Applicant respectfully asserts that merely detecting viruses on a
network connected computer, as the Examiner notes, does not even suggest any sort of
threshold, let alone "a network-wide threshold of malware detection across said plurality
of network connected computers," as applicant specifically claims (emphasis added).
Moreover, simply nowhere in Hypponen is there any disclosure of a sum of detections as 
applicant claims. 